§ 240.15c3-5 — Risk management controls for brokers or dealers with # market access.

Rule 15c3-5 — the "Market Access Rule" — requires every broker-dealer with market access to an exchange or ATS, and every broker-dealer that provides market access to a customer or other person, to establish, document, and maintain a system of risk-management controls and supervisory procedures that is reasonably designed to manage the financial, regulatory, and other risks of that business activity.

(a) Scope.

Applies to any broker-dealer with "market access" — direct access to an exchange or ATS for the purpose of entering orders — including broker-dealers providing such access to their customers (e.g., sponsored access / direct market access (DMA)) and broker-dealers trading for their own proprietary accounts.

(b) Exclusive control of controls.

A broker-dealer with market access must have direct and exclusive control over the financial and regulatory risk management controls and supervisory procedures required by paragraphs (c)(1) and (c)(2) of this section. The 2010 rule prohibited "unfiltered" (naked) sponsored access entirely; all order flow must pass through the broker-dealer's controls.

(c) Required controls.

(c)(1) Financial risk management controls.

The controls must be reasonably designed to prevent the entry of orders that exceed appropriate pre-set credit or capital thresholds, or that appear to be erroneous. The controls must include:

1. Pre-set credit or capital thresholds for each customer, set so as to prevent the broker-dealer from exceeding its own credit and capital limits; 2. Order-size and order-price "sanity" filters (hard blocks and soft warnings, as appropriate); and 3. A mechanism for preventing duplicate orders.

(c)(2) Regulatory risk management controls.

The controls must be reasonably designed to ensure compliance with all regulatory requirements applicable to the broker-dealer in connection with market access. The controls must include:

1. Prevention of orders in securities the broker-dealer or customer is restricted from trading; 2. Pre-trade compliance with Regulation SHO (e.g., locate evidence for short sales); 3. Pre-trade compliance with Rule 201 (alternative uptick rule) where applicable; 4. Pre-trade restriction on order entry during restricted trading windows (e.g., trading halts); 5. Post-trade surveillance to identify potential manipulation, spoofing, layering, or other impermissible activity, with appropriate escalation procedures; and 6. A mechanism for preventing unauthorized access to the order-entry system.

(c)(3) Supervisory procedures.

The broker-dealer must establish, document, and maintain supervisory procedures reasonably designed to ensure the effectiveness of the controls required by (c)(1) and (c)(2). The procedures must address:

1. Regular review (at least annually) of the business activity of the broker-dealer, the effectiveness of the risk-management controls and supervisory procedures, and the overall effectiveness of the market access business; 2. Prompt corrective action in response to identified shortcomings; and 3. CEO/equivalent officer annual certification that the controls and supervisory procedures comply with the rule.

(d) CEO certification.

The broker-dealer's chief executive officer (or equivalent officer) shall, on an annual basis, certify in writing that the broker-dealer's risk- management controls and supervisory procedures comply with the rule and that the broker-dealer conducted such review.

(e) Records.

Records of the broker-dealer's controls, supervisory procedures, reviews, and CEO certification shall be preserved in accordance with Rule 17a-4 for at least three years.